Configure SSO/OAuth with Google

For general information on OAuth and how you can get your Single Sign-On (SSO) with working with SpamExperts, see Configure OAuth/Single Sign-On (SSO).

Step 1 - Configure Google API Console

  1. Login to Google API Console
  2. Add a project:
    1. Create OAuth consent. Enter:
      1. Email address: Your email address
      2. Product name: Project name
      3. Homepage URL: https://primary.domain.invalid
      4. Product Logo (optional)
      5. Privacy policy URL (optional): Link to your Privacy policy
      6. Terms of services URL (opional): Link to your Terms of Service
    2. Click Save
  3. Setup OAuth credentials:
    1. Click OAuth client ID
    2. Select WEB application
    3. Add a name e.g.test
    4. Authorized JavaScript origins
      • This should contain the hostname of your cluster and the branded / custom hostname that you’ve chosen to use in your branding
      • This should contain both https:// and http:// links e.g.
        • https://mycustom.demo-domain.invalid (branded hostname)
        • http://mycustom.demo-domain.invalid (branded hostname)
    5. Authorized redirect URIs - needs to point to the authorized redirect endpoint setup on your cluster
      • This should contain the branded / custom hostname that you’ve chosen to use in your branding
      • This should contain both https:// and http:// links e.g.
        • http://mycustom.demo-domain.invalid/rest/auth/openid/authorize/mailbox
        • https://mycustom.demo-domain.invalid/rest/auth/openid/authorize/mailbox
    6. Click Create
    7. This returns:

      • Client ID number
      • Client Secret
      • These are required for the interface setup.

Step 2 - Configure Google Details in SpamExperts

  1. Log into your SpamExperts Control Panel using your branded URL (this is set up in the Hostname field in the Branding Management page. See Create a Custom Control Panel URL)
  2. In the Admin Level Control Panel, select Branding > Branding Management
  3. Ensure that SSO/OAuth login for email users is enabled
  4. Add the label text that will be displayed on the login button
  5. Click Save
  6. Navigate to the domain, by selecting General > Domains Overview and click on the relevant domain
  7. Select Users & Permissions > OAuth Settings and make sure that OAuth login is toggled on
  8. Complete the following details:
    • Provider URL - For Google setup this will always be: https://accounts.google.com
    • Client ID - This was provided in Step 1 - Configure Google API Console (above)
    • Client Secret - This was provided in Step 1 - Configure Google API Console (above)
    • Token Endpoint - for Google this will always be: https://www.googleapis.com/oauth2/v4/token
    • Authorization Endpoint - For Google this will always be: https://accounts.google.com/o/oauth2/v2/auth
    • User info endpoint - For Google this will always be: https://openidconnect.googleapis.com/v1/userinfo
    • User Identification Method - select Verified Email
    • Jwks Url - For Google this will always be: https://www.googleapis.com/oauth2/v3/certs
    • Use Nonce Validation - Select Yes
  9. Click Save

The login page for users on that domain will now display the new login button allowing authorization with Google OAuth2.0.

Although we strive to provide the most up-to-date information, the instructions covered in the Google configuration may change without our knowledge. To ensure you have the correct up-to-date information, please refer to Google's website. For Google's OAuth 2.0 authentication details see https://developers.google.com/identity/protocols/OpenIDConnect.